/**
 * Webhook Endpoint Management
 *
 * CRUD operations for per-KB webhook endpoints. Each endpoint has a
 * randomly generated secret that is embedded in the webhook URL and
 * also serves as the HMAC signing key for GitHub payload verification.
 *
 * The secret is never stored in plaintext — only its SHA-256 hash is
 * persisted as the record's primary key for O(1) lookup.
 */
import type { WebhookEndpoint } from '../types.ts';
/**
 * Hash a webhook secret to produce the record ID.
 * SHA-256 is sufficient — these are high-entropy random tokens, not passwords.
 */
export declare function hashSecret(secret: string): string;
/**
 * Create a new webhook endpoint for a KB.
 *
 * Generates a random secret, stores the SHA-256 hash as the record ID,
 * and returns both the record and the plaintext secret (shown once).
 *
 * @throws If the KB does not exist
 */
export declare function createWebhookEndpoint(kbId: string, provider: string, label?: string, createdBy?: string): Promise<{
    endpoint: WebhookEndpoint;
    secret: string;
}>;
/**
 * Validate a webhook secret against a KB and provider.
 *
 * Hashes the secret, looks up the record, and verifies the kbId and
 * provider match. Returns the record if valid, null otherwise.
 */
export declare function validateWebhookSecret(secret: string, kbId: string, provider: string): Promise<WebhookEndpoint | null>;
/**
 * List all webhook endpoints for a KB.
 */
export declare function listWebhookEndpoints(kbId: string): Promise<WebhookEndpoint[]>;
/**
 * Delete a webhook endpoint.
 *
 * @throws If the endpoint does not exist or belongs to a different KB
 */
export declare function deleteWebhookEndpoint(id: string, kbId: string): Promise<void>;
//# sourceMappingURL=webhook-endpoints.d.ts.map